IAM CI/CD - Support for multiple ECR repositories

This breaking change affects usage of the iam-policies-cicd module.

Affected versions

  • All versions before iam-policies-cicd-v0.1.0
  • All templates referencing ref=main

The iam-policies-cicd template referenced ref=33b1985bc730232c18a19d31c0024b71065bcbc8 before iam-policies-cicd-v0.1.0 was released.

Rationale

When setting up IAM CI/CD policy documents it is necessary to support more than a single ECR repository.

Previous versions defined a single ARN in ecr_repository_arn, while iam-policies-cicd-v0.1.0 introduced a list of ECR repository names in ecr_repository_names.

Manual upgrades

Changes to iam_cicd.tf. Before:

module "iam_policies_cicd" {
  source = "git@github.com:oslokommune/golden-path-iac//terraform/modules/iam-policies-cicd?ref=main"
  ecr_repository_arn = "full:arn"
}

After (note the change from a single ARN to a list of repository names):

locals {
  ecr_repository_names = ["api-app", "frontend-app"]
}

module "iam_policies_cicd" {
  source = "git@github.com:oslokommune/golden-path-iac//terraform/modules/iam-policies-cicd?ref=iam-policies-cicd-v0.1.0"

  ecr_repository_names = local.ecr_repository_names
}

Commit and push changes.

After upgrade

After making the changes above, the next Terraform plan should include these changes:

  • aws_iam_policy.ecr_read_write will be destroyed
  • One aws_iam_policy.ecr_read_write resource per application defined in ecr_repository_names will be created
  • Changes to module.iam_assumable_role_github_oidc, which can depend on your setup
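
One way to check a plan against the list above before applying it (an added example, not part of the module or its documentation): the script reads the output of `terraform show -json` and reports any IAM change the upgrade notes do not account for. The sample plan, the module path `module.iam_policies_cicd` in the addresses and the OIDC attachment resource name are constructed for illustration.

```python
"""Compare a Terraform plan (terraform show -json plan.out) with the upgrade notes."""
import json
import sys

OIDC_MODULE = "module.iam_assumable_role_github_oidc"
REPO_NAMES = ["api-app", "frontend-app"]  # same list as locals.ecr_repository_names


def review_plan(plan, repo_names):
    """Return (findings, oidc_changes); empty findings means the plan matches the notes."""
    findings, oidc_changes = [], []
    created = destroyed = 0
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        if rc["type"] == "aws_iam_policy" and rc["name"] == "ecr_read_write":
            created += "create" in actions
            destroyed += "delete" in actions
        elif rc["address"].startswith((OIDC_MODULE + ".", OIDC_MODULE + "[")):
            oidc_changes.append(rc["address"])  # setup-dependent: review by hand
        else:
            findings.append(f"unexpected {'/'.join(actions)}: {rc['address']}")
    if destroyed != 1:
        findings.append(f"expected 1 ecr_read_write policy destroyed, plan has {destroyed}")
    if created != len(repo_names):
        findings.append(
            f"expected {len(repo_names)} ecr_read_write policies created, plan has {created}")
    return findings, oidc_changes


def _rc(address, rtype, name, actions):
    """Build one resource_changes entry with only the fields review_plan reads."""
    return {"address": address, "type": rtype, "name": name, "change": {"actions": actions}}


# Constructed sample plan; addresses and index keys are assumptions, not module output.
_POLICY = "module.iam_policies_cicd.aws_iam_policy.ecr_read_write"
SAMPLE_PLAN = {"resource_changes": [
    _rc(_POLICY, "aws_iam_policy", "ecr_read_write", ["delete"]),
    _rc(_POLICY + '["api-app"]', "aws_iam_policy", "ecr_read_write", ["create"]),
    _rc(_POLICY + '["frontend-app"]', "aws_iam_policy", "ecr_read_write", ["create"]),
    _rc(OIDC_MODULE + ".aws_iam_role_policy_attachment.custom[0]",
        "aws_iam_role_policy_attachment", "custom", ["update"]),
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings, oidc_changes = review_plan(plan, REPO_NAMES)
    print("\n".join(findings) or "plan matches the upgrade notes")
    print("review manually:", oidc_changes)
    sys.exit(1 if findings else 0)
```

Run it with the path to a plan JSON file as the only argument; without an argument it checks the constructed sample.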